Meraki Local DNS Android issues

MarkieLawrence


We have set up an SSID that uses Meraki NAT mode using 10.x.x.x DHCP. We have set up content filtering to use a custom DNS of our internal DNS servers to resolve.

We have set up L2 rules in Firewall & Traffic Shaping to allow this SSID's clients access to these servers and the local Win2012R2 DNS server on port 53 TCP & UDP.


Most devices seem to work fine. However some Android devices seem to bypass this and go out to the Meraki DNS 10.254.254.254 and cannot resolve the internal server name.

We understand after some reading that some Android versions with particular security updates seem to force connection to encrypted DNS servers (Meraki) ahead of our local DNS server. We have tried to block all ports and protocols to 10.128.128.128 but this does not seem to force the use of the local DNS server. The IP address of our WiFi connected clients' PDNS is still 10.128.128.128 rather than local.


Any thoughts as to what we can do to force clients to local DNS servers?


Many thanks

1 REPLY
Bruce

When you are running an SSID in NAT mode all the clients on the wireless side will be using a DNS server of 10.128.128.128. The AP just acts as a forwarder and forwards those requests to the custom DNS servers that you have defined if the hostnames are not already cached. See here https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/DNS_and_NAT_Mode.


What I suspect you are seeing is a browser (e.g. Firefox, Chrome) using DNS over HTTPS (DoH) to server IP addresses defined in Chrome - essentially bypassing the normal DNS mechanism, and your filtering solution. Have a Google of ‘Chrome DoH’ for some more information. Unfortunately this is a difficult one to prevent if it’s on devices you don’t manage.
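A way to confirm which clients are actually bypassing the AP's forwarder, rather than guessing from symptoms, is to classify exported flow records by destination and port. The script below is an added example, not code from this thread or from Meraki: it assumes a NAT-mode SSID where clients are handed 10.128.128.128 as their resolver, a constructed CSV-style flow format (src,dst,proto,dport; real Meraki exports differ, so adapt parse_flow()), and a resolver list that is an assumption to extend for your environment. It flags plain DNS sent anywhere other than the forwarder, DNS over TLS on TCP/853 (the transport Android's Private DNS setting uses) to a foreign resolver, and TCP/443 to well-known public resolvers as a DoH suspect; DoT attempts toward the forwarder itself are labelled but not counted as a bypass.

```python
"""Classify client flows to spot DNS that bypasses the AP forwarder.

Added example (not from the Meraki post or Meraki's own tooling). Assumes a
NAT-mode SSID where every client is handed 10.128.128.128 as its resolver and
flow records shaped like the constructed lines below: src,dst,proto,dport.
"""
from collections import defaultdict
import ipaddress

# Resolver the AP hands out in NAT mode (from the thread).
AP_FORWARDER = ipaddress.ip_address("10.128.128.128")

# Public resolvers that also serve DoH/DoT; TCP/443 to these is a strong hint
# of DNS over HTTPS. Assumption: extend this set for your environment.
PUBLIC_DOH_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
              "9.9.9.9", "149.112.112.112")
}

# Constructed sample flows, NOT real captures: src,dst,proto,dport
SAMPLE_FLOWS = """\
10.128.128.10,10.128.128.128,udp,53
10.128.128.10,10.0.0.5,tcp,445
10.128.128.11,8.8.8.8,udp,53
10.128.128.12,10.128.128.128,tcp,853
10.128.128.13,1.1.1.1,tcp,443
10.128.128.13,10.128.128.128,udp,53
10.128.128.14,203.0.113.9,tcp,443
"""


def parse_flow(line):
    """Parse one constructed 'src,dst,proto,dport' record."""
    src, dst, proto, dport = line.strip().split(",")
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto.lower(), int(dport))


def classify(src, dst, proto, dport):
    """Return a label for one flow, or None if it is not DNS-related."""
    if dport == 53 and proto in ("udp", "tcp"):
        return "dns-forwarder" if dst == AP_FORWARDER else "dns-bypass"
    if dport == 853 and proto == "tcp":
        # DNS over TLS: what Android's Private DNS setting speaks.
        return "dot-forwarder" if dst == AP_FORWARDER else "dot-bypass"
    if dport == 443 and proto == "tcp" and dst in PUBLIC_DOH_RESOLVERS:
        return "doh-suspect"
    return None


def find_bypassing_clients(flow_text):
    """Map each client IP (as a string) to the set of bypass labels seen."""
    findings = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = parse_flow(line)
        label = classify(src, dst, proto, dport)
        if label and label.endswith(("bypass", "suspect")):
            findings[str(src)].add(label)
    return dict(findings)


if __name__ == "__main__":
    for client, labels in sorted(find_bypassing_clients(SAMPLE_FLOWS).items()):
        print(f"{client}: {', '.join(sorted(labels))}")
```

On the constructed sample this reports 10.128.128.11 (plain DNS straight to 8.8.8.8) and 10.128.128.13 (TCP/443 to 1.1.1.1 alongside normal forwarder queries); the DoT attempt from 10.128.128.12 to the forwarder and the ordinary HTTPS flow from 10.128.128.14 are not flagged. A TCP/443 match on a public resolver is only a suspect, not proof, since those addresses also host ordinary web content.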
